Rest API Basics Tutorial

Author: codingforentrepreneurs

src/cfehome/settings.py

@@ -125,12 +125,12 @@
 
 REST_FRAMEWORK = {
     'DEFAULT_PERMISSION_CLASSES': (
-        'rest_framework.permissions.IsAuthenticated',
+        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
     ),
     'DEFAULT_AUTHENTICATION_CLASSES': (
         'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
         'rest_framework.authentication.SessionAuthentication',
-        'rest_framework.authentication.BasicAuthentication',
+        #'rest_framework.authentication.BasicAuthentication',
     ),
 }
 

src/cfehome/urls.py

@@ -15,8 +15,11 @@
 """
 from django.conf.urls import url, include
 from django.contrib import admin
+from rest_framework_jwt.views import obtain_jwt_token
 
 urlpatterns = [
     url(r'^admin/', admin.site.urls),
+    url(r'^api/auth/login/$', obtain_jwt_token, name='api-login'),
     url(r'^api/postings/', include('postings.api.urls', namespace='api-postings')),
 ]
+

src/db.sqlite3

@@ -2,6 +2,8 @@
     - Retrieve Update Delete
     - Create & List & Search 
 
+    - Permissions???? JWT
+
 2. HTTP methods
     - GET, POST, PUT, PATCH, DELETE
 

src/postings/api/notes.md

@@ -0,0 +1,16 @@
+from rest_framework import permissions
+
+class IsOwnerOrReadOnly(permissions.BasePermission):
+    """
+    Object-level permission to only allow owners of an object to edit it.
+    Assumes the model instance has an `owner` attribute.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        # Read permissions are allowed to any request,
+        # so we'll always allow GET, HEAD or OPTIONS requests.
+        if request.method in permissions.SAFE_METHODS:
+            return True
+
+        # Instance must have an attribute named `owner`.
+        return obj.owner == request.user

src/postings/api/permissions.py

@@ -4,15 +4,31 @@
 
 
 class BlogPostSerializer(serializers.ModelSerializer): # forms.ModelForm
+    url         = serializers.SerializerMethodField(read_only=True)
     class Meta:
         model = BlogPost
         fields = [
-            'pk',
+            'url',
+            'id',
             'user',
             'title',
             'content',
             'timestamp',
         ]
+        read_only_fields = ['id', 'user']
 
     # converts to JSON
-    # validations for data passed
+    # validations for data passed
+
+    def get_url(self, obj):
+        # request
+        request = self.context.get("request")
+        return obj.get_api_url(request=request)
+
+    def validate_title(self, value):
+        qs = BlogPost.objects.filter(title__iexact=value) # including instance
+        if self.instance:
+            qs = qs.exclude(pk=self.instance.pk)
+        if qs.exists():
+            raise serializers.ValidationError("This title has already been used")
+        return value

src/postings/api/serializers.py

@@ -0,0 +1,141 @@
+from rest_framework import status
+from rest_framework.test import APITestCase
+
+from rest_framework_jwt.settings import api_settings
+
+payload_handler = api_settings.JWT_PAYLOAD_HANDLER
+encode_handler  = api_settings.JWT_ENCODE_HANDLER
+
+from django.contrib.auth import get_user_model
+from rest_framework.reverse import reverse as api_reverse
+
+# automated
+# new / blank db
+
+from postings.models import BlogPost
+User = get_user_model()
+
+class BlogPostAPITestCase(APITestCase):
+    def setUp(self):
+        user_obj = User(username='testcfeuser', email='[email protected]')
+        user_obj.set_password("somerandopassword")
+        user_obj.save()
+        blog_post = BlogPost.objects.create(
+                user=user_obj, 
+                title='New title', 
+                content='some_random_content'
+                )
+
+
+    def test_single_user(self):
+        user_count = User.objects.count()
+        self.assertEqual(user_count, 1)
+
+    def test_single_post(self):
+        post_count = BlogPost.objects.count()
+        self.assertEqual(post_count, 1)
+
+    def test_get_list(self):
+        # test the get list
+        data = {}
+        url = api_reverse("api-postings:post-listcreate")
+        response = self.client.get(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        # print(response.data)
+
+    def test_post_item(self):
+        # test the get list
+        data = {"title": "Some rando title", "content": "some more content"}
+        url = api_reverse("api-postings:post-listcreate")
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+
+    def test_get_item(self):
+        # test the get list
+        blog_post = BlogPost.objects.first()
+        data = {}
+        url = blog_post.get_api_url()
+        response = self.client.get(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+    def test_update_item(self):
+        # test the get list
+        blog_post = BlogPost.objects.first()
+        url = blog_post.get_api_url()
+        data = {"title": "Some rando title", "content": "some more content"}
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_405_METHOD_NOT_ALLOWED)
+        response = self.client.put(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+
+    def test_update_item_with_user(self):
+        # test the get list
+        blog_post = BlogPost.objects.first()
+        #print(blog_post.content)
+        url = blog_post.get_api_url()
+        data = {"title": "Some rando title", "content": "some more content"}
+        user_obj = User.objects.first()
+        payload  = payload_handler(user_obj)
+        token_rsp = encode_handler(payload)
+        self.client.credentials(HTTP_AUTHORIZATION='JWT ' + token_rsp) # JWT <token>
+        response = self.client.put(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        #print(response.data)
+
+    def test_post_item_with_user(self):
+        # test the get list
+        user_obj = User.objects.first()
+        payload  = payload_handler(user_obj)
+        token_rsp = encode_handler(payload)
+        self.client.credentials(HTTP_AUTHORIZATION='JWT ' + token_rsp)
+        data = {"title": "Some rando title", "content": "some more content"}
+        url = api_reverse("api-postings:post-listcreate")
+        response = self.client.post(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
+
+
+    def test_user_ownership(self):
+        # test the get list
+        owner = User.objects.create(username='testuser22222')
+        blog_post = BlogPost.objects.create(
+                user=owner, 
+                title='New title', 
+                content='some_random_content'
+                )
+
+        user_obj            = User.objects.first()
+        self.assertNotEqual(user_obj.username, owner.username)
+        payload             = payload_handler(user_obj)
+        token_rsp           = encode_handler(payload)
+        self.client.credentials(HTTP_AUTHORIZATION='JWT ' + token_rsp)
+        url = blog_post.get_api_url()
+        data = {"title": "Some rando title", "content": "some more content"}
+        response = self.client.put(url, data, format='json')
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    def test_user_login_and_update(self):
+        data = {
+            'username': 'testcfeuser',
+            'password': 'somerandopassword'
+        }
+        url = api_reverse("api-login")
+        response = self.client.post(url, data)
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        token = response.data.get("token")
+        if token is not None:
+            blog_post = BlogPost.objects.first()
+            #print(blog_post.content)
+            url = blog_post.get_api_url()
+            data = {"title": "Some rando title", "content": "some more content"}
+            self.client.credentials(HTTP_AUTHORIZATION='JWT ' + token) # JWT <token>
+            response = self.client.put(url, data, format='json')
+            self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+
+
+
+
+
+# request.post(url, data, headers={"Authorization": "JWT " + <token> })

src/postings/api/tests.py

@@ -1,7 +1,9 @@
 from django.conf.urls import url
 
 
-from .views import BlogPostRudView
+from .views import BlogPostRudView, BlogPostAPIView
+
 urlpatterns = [
+    url(r'^$', BlogPostAPIView.as_view(), name='post-listcreate'),
     url(r'^(?P<pk>\d+)/$', BlogPostRudView.as_view(), name='post-rud')
 ]   

src/postings/api/urls.py

@@ -1,19 +1,50 @@
 # generic
 
-
-from rest_framework import generics
+from django.db.models import Q
+from rest_framework import generics, mixins
 
 from postings.models import BlogPost
+from .permissions import IsOwnerOrReadOnly
 from .serializers import BlogPostSerializer
 
+
+class BlogPostAPIView(mixins.CreateModelMixin, generics.ListAPIView): # DetailView CreateView FormView
+    lookup_field            = 'pk' # slug, id # url(r'?P<pk>\d+')
+    serializer_class        = BlogPostSerializer
+    #queryset                = BlogPost.objects.all()
+
+    def get_queryset(self):
+        qs = BlogPost.objects.all()
+        query = self.request.GET.get("q")
+        if query is not None:
+            qs = qs.filter(
+                    Q(title__icontains=query)|
+                    Q(content__icontains=query)
+                    ).distinct()
+        return qs
+
+    def perform_create(self, serializer):
+        serializer.save(user=self.request.user)
+
+    def post(self, request, *args, **kwargs):
+        return self.create(request, *args, **kwargs)
+
+    def get_serializer_context(self, *args, **kwargs):
+        return {"request": self.request}
+
+
 class BlogPostRudView(generics.RetrieveUpdateDestroyAPIView): # DetailView CreateView FormView
     lookup_field            = 'pk' # slug, id # url(r'?P<pk>\d+')
     serializer_class        = BlogPostSerializer
+    permission_classes      = [IsOwnerOrReadOnly]
     #queryset                = BlogPost.objects.all()
 
     def get_queryset(self):
         return BlogPost.objects.all()
 
+    def get_serializer_context(self, *args, **kwargs):
+        return {"request": self.request}
+
     # def get_object(self):
     #     pk = self.kwargs.get("pk")
     #     return BlogPost.objects.get(pk=pk)

src/postings/api/views.py

@@ -1,7 +1,10 @@
 from django.conf import settings
 from django.db import models
+from django.urls import reverse
 
+from rest_framework.reverse import reverse as api_reverse
 
+# django hosts --> subdomain for reverse
 
 class BlogPost(models.Model):
     # pk aka id --> numbers
@@ -11,4 +14,14 @@ class BlogPost(models.Model):
     timestamp   = models.DateTimeField(auto_now_add=True)
 
     def __str__(self):
-        return str(self.user.username)
+        return str(self.user.username)
+
+    @property
+    def owner(self):
+        return self.user
+
+    # def get_absolute_url(self):
+    #     return reverse("api-postings:post-rud", kwargs={'pk': self.pk}) '/api/postings/1/'
+    
+    def get_api_url(self, request=None):
+        return api_reverse("api-postings:post-rud", kwargs={'pk': self.pk}, request=request)